# Navi Full Platform Reflection Audit

Date: 2026-05-05
Branch: `wave1/full-platform-demo-access-and-reflection`

This audit checks whether each Phase One module is connected across mobile, website, dashboard, API, database, RBAC, and dashboard reflection. Status values:

- `Connected`: route/API/model/dashboard reflection exists.
- `Partial`: some pieces exist, but the journey is not complete.
- `Missing`: no reliable implementation exists yet.

| Feature module | Mobile screen | Website page | Dashboard page | API endpoint | Database table/model | User role required | Permission key required | Data created or updated | Where it appears in dashboard | Current status | Missing work | Priority |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Auth registration | `/(auth)/signup` | Not exposed | Users | `POST /v1/auth/signup` | `User`, `UserCredential`, `OtpCode`, `UserRole` | Guest | public | User pending account and OTP | Users after verification | Partial | Dashboard user activity/audit for registration | P1 |
| Login | `/(auth)/login` | Dashboard login | Dashboard login | `POST /v1/auth/login` | `Session` | Guest | public | Session and refresh token hash | Engagement/session indirectly | Connected | Add failed-login audit events | P1 |
| Logout | Profile | Dashboard API route | Dashboard shell | `POST /v1/auth/logout` | `Session` | Authenticated | auth.login/session owner | Revoked session | Not surfaced | Partial | Dashboard session view and audit | P2 |
| Refresh token | API client | Dashboard session cookie | N/A | `POST /v1/auth/refresh` | `Session` | Authenticated | session owner | Rotated session | Not surfaced | Connected | Add reuse detection chain revocation | P2 |
| Forgot password | `/(auth)/forgot-password` | Missing | Missing page in middleware allow-list only | `POST /v1/auth/request-otp`, `POST /v1/auth/reset-password` | `OtpCode`, `UserCredential` | Guest | public | OTP and password hash | Not surfaced | Partial | Dashboard forgot-password page | P1 |
| User profile | `/(tabs)/profile`, settings | Missing | Users | `GET/PATCH /v1/users/me` | `User` | Tourist/Premium | `profile.read.own`, `profile.update.own` | User profile fields | Users | Connected | Profile model is not separate | P2 |
| Roles | None | None | `/roles` | `GET /v1/roles` | `Role`, `RolePermission` | Admin/Super Admin | `role.read.all` | Read only | Roles | Partial | Create/update roles and Super Admin role builder | P1 |
| Permissions | None | None | `/permissions` | `GET /v1/permissions` | `Permission`, `RolePermission` | Admin/Super Admin | `permission.read.all` | Read only | Permissions | Partial | Permission assignment UI/API | P1 |
| Users management | None | None | `/users` | `GET /v1/users` | `User`, `UserRole` | Admin/Super Admin | `user.read.all` | Read users | Users | Partial | Create/update/status/role APIs | P1 |
| Provider management | None | `/partners` | `/businesses`, `/partners` | `GET /v1/businesses`, `GET /v1/memberships` | `Business`, `UserMembership` | Partner/Admin | `business.read.assigned`, `business.read.all` | Read provider data | Businesses/Memberships | Partial | Partner application approval flow | P1 |
| Staff management | None | Missing | `/memberships` | `GET /v1/memberships` | `UserMembership` | Partner Owner/Admin | `membership.read.assigned`, `user.read.all` | Read memberships | Memberships | Partial | Invite/update staff roles and scopes | P1 |
| Destinations | Discover/Saved | `/destinations` | Content/Listings currently | `GET /v1/destinations` | `Destination` | Guest | public | Read public destinations | Content not dedicated | Partial | Admin destination editor | P2 |
| Listings | Discover, detail | Destinations/partners content | `/listings` | `GET /v1/listings`, `GET /v1/listings/:id` | `Listing`, `Business`, `City` | Guest/Partner/Admin | public read, partner assigned update missing | Read and view events | Listings, Engagement | Connected for public read | Provider create/update/publish APIs incomplete | P1 |
| Hotels | `services/stays`, `listing/:id`, `rooms/:listingId` | Missing dedicated page | Listings | `GET /v1/listings?kind=STAY` | `Listing`, `Room`, `Booking` | Guest/Tourist | public read, `booking.create` | Room read, booking create | Listings, Bookings | Partial | Dedicated hotel admin/availability | P1 |
| Rooms | `rooms/:listingId` | Missing | Listings | `GET /v1/listings/:id` | `Room` | Guest | public | Read room inventory | Listings | Connected read | Provider room CRUD | P1 |
| Experiences | `services/activities`, Discover | Missing dedicated page | Listings | `GET /v1/listings?kind=ACTIVITY` | `Listing`, `Booking` | Guest/Tourist | public read, `booking.create` | Booking | Bookings | Partial | Provider activity availability | P1 |
| Taxi | `services/taxi` | Missing | Bookings/Orders | Generic listing/order APIs | `Listing`, `Booking` | Tourist/Driver | `booking.create`, driver assigned missing | Booking/order expected | Bookings | Partial | Taxi-specific estimate/book/status APIs | P1 |
| Food | `services/food` | Missing | Orders/Listings | Generic order APIs | `Listing`, `Order`, `OrderItem` | Tourist/Provider | `order.create`, `order.read.assigned` | Order | Orders | Partial | Restaurant/menu item model and provider menus | P1 |
| Pharmacy | `services/pharmacy`, translator upload pattern | Missing | Orders/Support | Generic order/upload incomplete | `Order`, `UploadFile` missing | Tourist/Pharmacy | `order.create`, provider assigned | Prescription/order expected | Orders | Missing | Private prescription upload flow/model | P0 |
| Grocery | `services/grocery` | Missing | Orders/Listings | Generic order APIs | `Order`, `OrderItem`, `Listing` | Tourist/Provider | `order.create`, provider assigned | Order | Orders | Partial | Product inventory model/CRUD | P1 |
| SIM cards | `services/sim` | Missing | Orders/Listings | Generic order APIs | `Order`, `Listing` | Tourist/SIM provider | `order.create`, provider assigned | SIM order | Orders | Partial | SIM activation status workflow | P1 |
| Emergency numbers | `/emergency` | Missing dedicated page | Content | `GET /v1/emergency` | `EmergencyNumber` | Guest | public | Read only | Not dedicated | Connected read | Admin emergency editor/audit | P1 |
| Saved destinations | `/(tabs)/saved`, Discover hearts | Missing | Engagement | `GET/POST/DELETE /v1/saved` | `SavedItem`, `EngagementEvent` | Tourist/Premium | `saved.*.own` | Saved item and engagement | Engagement | Connected | Admin saved analytics refinement | P2 |
| Bookings | `/(tabs)/bookings`, room select | Missing | `/bookings` | `POST/GET /v1/bookings` | `Booking`, `PaymentIntent` optional | Tourist/Provider/Admin | `booking.create`, `booking.read.*` | Booking | Bookings | Partial | Provider status transitions and cancellation audit | P1 |
| Orders | Service screens | Missing | `/reports` only generic | `POST/GET /v1/orders` if module exists? | `Order`, `OrderItem` | Tourist/Provider/Admin | `order.*` | Order | Orders missing dedicated page | Partial | Dedicated API/dashboard page if absent | P1 |
| Payments | Booking flow placeholder | Missing | `/payments` | `GET /v1/payments` | `PaymentIntent` | Admin/Tourist | `payment.*` | Payment intent | Payments | Partial | Real provider, mobile checkout, webhooks | P0 |
| Refunds | Missing | Missing | `/refunds` | `POST/GET/PATCH /v1/refunds` | `Refund` | Admin/Finance | `refund.create`, `refund.approve` | Refund state | Refunds | Partial | Customer refund request path | P1 |
| Trip planner | `/trip-planner/*` | Missing | Engagement/Reports | `POST /v1/trip-planner/generate`, `GET /plans` | `Trip`, `TripStep`, `EngagementEvent` | Tourist/Premium | `trip.create.own`, `trip.read.own` | Trip and steps | Engagement/Reports | Connected for deterministic provider | Real AI provider/queue/cost guardrails | P1 |
| Image translator | `/translator`, `/translator/history` | Missing | Engagement only | `POST/GET/DELETE /v1/translator` | `TranslationJob` | Tourist/Premium | `profile.read.own` currently | Translation job | Not dedicated | Partial | OCR/translation provider and privacy dashboard | P1 |
| Notifications | Settings only | Missing | Missing | Missing | `Notification` missing | Authenticated | `notification.*` missing | Expected push registration | Missing | Missing | Implement after core booking/order flows | P2 |
| Support tickets | `/help` likely | Missing | Missing dedicated | Missing/partial | `SupportTicket`, `TicketMessage` | Tourist/Support | `ticket.*` | Ticket | Missing | Partial | Ticket API/dashboard support workspace | P1 |
| Home banners | Home hero content | Website home | `/content` | `GET /v1/home`, content APIs | `ContentAsset`, `MarketingPage` | Guest/Admin | public read, `content.update` | Content expected | Content | Partial | Banner model/API and dashboard editor | P1 |
| Onboarding content | `onboarding/[step]` local content | Marketing sections | `/content` | `GET /v1/onboarding` missing | `OnboardingPage` | Guest/Admin | public read, `content.update` | Onboarding pages | Content | Partial | Mobile should fetch onboarding API | P1 |
| Marketing pages | N/A | `/[locale]/*` | Content | `GET /v1/marketing/pages` missing | `MarketingPage` | Guest/Admin | public read, `content.update` | Marketing content | Content | Partial | API-backed website content | P2 |
| Partner applications | N/A | `/partners` only | `/partners` | Missing public apply endpoint | `PartnerApplication` missing | Guest/Admin | public apply, admin provider write | Application expected | Partners | Missing | Add model/API/review flow | P0 |
| Partner onboarding | N/A | `/partners` | Businesses/Memberships | Partial business APIs | `Business`, `UserMembership` | Partner Owner | `provider.*` | Business/team/listing setup | Businesses/Listings | Partial | Onboarding checklist and first listing flow | P1 |
| Audit logs | N/A | N/A | `/audit-logs` | `GET /v1/audit-logs` | `AuditLog` | Admin/Super Admin/Support scoped | `audit.read.*` | Read logs | Audit Logs | Partial | More sensitive actions must write logs | P1 |
| Reports and analytics | N/A | N/A | `/reports`, `/engagement` | `GET /v1/dashboard/overview`, `/engagement/dashboard` | Many, `EngagementEvent` | Admin/Super Admin/Partner scoped | `admin.report.read` alias missing, current read perms | Read analytics | Reports/Engagement | Connected for engagement | Provider-scoped reports need expansion | P1 |
| System settings | N/A | N/A | `/settings` | Feature flag/settings partial | `FeatureFlag` | Super Admin | `superadmin.system.manage` missing alias | Settings expected | Settings | Partial | Strict Super Admin-only settings APIs | P1 |

## Key Findings

1. The platform has a solid connected base for auth, public catalog, saved items, bookings, trip planner, engagement tracking, audit-read, and dashboard pages.
2. The largest product gaps are partner applications, real payments, pharmacy prescription privacy, provider/staff/driver scoped operations, and content management write flows.
3. RBAC exists in the backend and is route-enforced, but permission naming still mixes older codes with the new requested Phase One codes. A normalization/alias layer is needed.
4. Demo access existed in seed data, but it must move into a safe demo-only seed path with no committed real password.
5. Dashboard reflection is now real for engagement/search/save/trip signals. Other modules need stronger write APIs and dashboard pages.
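
One possible shape for the normalization/alias layer named in finding 3, as an added example that is not Navi code. The Phase One names `admin.report.read` and `superadmin.system.manage` come from the table above; the legacy codes they map to (`report.read.all`, `settings.manage`) and the function names are hypothetical.

```typescript
// Equivalence groups: Phase One name first, then the older code(s) it replaces.
const ALIAS_GROUPS: readonly (readonly string[])[] = [
  ["admin.report.read", "report.read.all"],        // legacy code is hypothetical
  ["superadmin.system.manage", "settings.manage"], // legacy code is hypothetical
];

// A Map (not a plain object) so keys such as "constructor" never hit the prototype.
const EQUIVALENTS = new Map<string, readonly string[]>();
for (const group of ALIAS_GROUPS) {
  for (const key of group) EQUIVALENTS.set(key, group);
}

// A required key must be fully concrete; a wildcard there is a caller bug.
const CONCRETE_KEY = /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/;
// A grant may use "*" in any segment except the first, as in `saved.*.own`.
const GRANT_KEY = /^[a-z0-9_-]+(\.([a-z0-9_-]+|\*))+$/;

// Segment-wise match: same depth, and each grant segment is "*" or identical.
function grantCovers(grant: string, key: string): boolean {
  const g = grant.split(".");
  const k = key.split(".");
  return g.length === k.length && g.every((seg, i) => seg === "*" || seg === k[i]);
}

// True when any grant covers the required key or one of its aliases.
// Malformed input on either side fails closed.
function hasPermission(granted: readonly string[], required: string): boolean {
  const key = required.trim().toLowerCase();
  if (!CONCRETE_KEY.test(key)) return false;
  const accepted = EQUIVALENTS.get(key) ?? [key];
  return granted
    .map((g) => g.trim().toLowerCase())
    .filter((g) => GRANT_KEY.test(g))
    .some((g) => accepted.some((k) => grantCovers(g, k)));
}
```

Because the groups are bidirectional, a route guard can be switched to the Phase One name before the seeded role grants are renamed, and the reverse.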

